Snort mailing list archives

Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY


From: wkitty42 () windstream net
Date: Sat, 7 Oct 2017 13:29:25 -0400

On 10/05/2017 07:29 AM, Besal Mon wrote:
Hi,

I was going through one of your replies from the Snort mail list below - http://seclists.org/snort/2014/q3/453


wow... that's really old...


I was hoping you could advise whether the below is also because the directory string is longer than the max configured?


i will do this once in private... the NOTE at the end of my post(s) still applies so this reply is also CC'd to the snort list...


*[119:15:2] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Potentially Vulnerable] From "WKSE0XX1IPS02" at Thu Oct 5 09:06:23 2017 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 109.156.91.119:56865 (united kingdom)->62.7.228.234:80 (united kingdom)*

Can you please advise how we can increase the URI lengths.


in your snort.conf, look for the "preprocessor http_inspect" section... then look for the "oversize_dir_length" setting and adjust the number larger or smaller as desired... you should read the README.http_inspect file, as well... probably the other README.* files, too ;)

do NOT remove the '\' at the end of the line when changing that number, either... that is the "line continuation" indicator and is needed in this format...

you should look at your server logs or your data of the outgoing requests to see what's causing those long URLs... we find a lot of them are for ads... some URLs may indicate inbound infiltration or outbound exfiltration attempts... while you are looking at the data, you can also determine a decent path length size for the number above...


Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY
--------------------------------------------------------------------------------
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 28 Jul 2014 23:04:44 -0400
--------------------------------------------------------------------------------
On 7/28/2014 11:23 AM, Rowell Dionicio wrote:

I’m getting a lot of false positives on: http_inspect: OVERSIZE REQUEST-URI
DIRECTORY
I know it’s a preprocessor analyzing http traffic where the directory string is
longer than the max configured but almost all that I have seen are legitimate
web traffic.

this is where tuning comes into play... you have to tune snort for your
network's traffic... it seems to me that URI lengths have gotten quite long in
recent years with all the ads and other shite flowing around the net... i set my
URL lengths to at least 750 characters several years back... i may have also
suppressed this alert for external sites and kept it active for my hosted servers...

Does this mean most of the web traffic is just pushing lots of characters into
the directory string

yes...

making this inspection mostly useless?

the default? yes... but this is why tuning snort (or any other IDS/IPS) is
mandatory... there is no such thing as a one-size-fits-all installation with
these things ;)

It seems that creating an alert that looks for something, a vulnerability,
within the content using pcre would make more sense.

that's another aspect and what rules developers do... however, being able to
detect basic problems like this can also lead one to locating infestations...

Do most of you suppress these alerts or increase the directory length?

increase the setting so that it fits your hosted servers... if you have no
hosted servers, then yes, you might want to suppress the alert...

HTH ;)

--
   NOTE: No off-list assistance is given without prior approval.
         Please *keep mailing list traffic on the list* unless
         private contact is specifically requested and granted.



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
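Picking a value for oversize_dir_length from your own access logs, as wkitty42 suggests above, is something a short script can do; the example below is added here and is not code from the thread or from the Snort project. It parses constructed combined-format log lines, measures each request's longest directory segment and full path length in bytes on the percent-decoded path, and lists which requests a given threshold would flag. Whether http_inspect applies oversize_dir_length per directory segment or to the whole path is not stated in the thread, so the per-segment check here is an assumption to confirm against README.http_inspect for your version.

```python
import math
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format, not real traffic;
# the second request carries an 800-byte ad-tracking directory segment.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2017:09:06:23 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Oct/2017:09:06:24 +0000] "GET /ads/serve/{0}/pixel.gif?c=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.12 - - [05/Oct/2017:09:06:25 +0000] "POST /api/v1/login HTTP/1.1" 302 0 "-" "curl/7.55.0"
192.0.2.13 - - [05/Oct/2017:09:06:26 +0000] "GET /static/js/app.min.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".format("A" * 800)

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[0-9.]+"')

def dir_lengths(uri):
    """(longest_segment, path_length) in bytes on the percent-decoded path, query excluded."""
    path = unquote_to_bytes(urlsplit(uri).path)
    segments = [s for s in path.split(b"/") if s]
    return max((len(s) for s in segments), default=0), len(path)

def survey(log_text):
    """Parse access-log lines into (uri, longest_segment, path_length) rows."""
    rows = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            uri = m.group("uri")
            rows.append((uri,) + dir_lengths(uri))
    return rows

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list; pct in (0, 100]."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(pct / 100.0 * len(ordered))) - 1]

def over_threshold(rows, limit):
    """URIs whose longest directory segment is longer than limit: what an
    oversize_dir_length of `limit` would flag, assuming a per-segment check."""
    return [uri for uri, longest, _ in rows if longest > limit]

if __name__ == "__main__":
    rows = survey(SAMPLE_LOG)
    longest = [r[1] for r in rows]
    print("longest segment: max=%d p95=%d" % (max(longest), percentile(longest, 95)))
    for uri in over_threshold(rows, 750):  # 750 is the value wkitty42 mentions
        print("would alert at 750:", uri[:40] + "...")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the p95 of longest segments on legitimate traffic is a reasonable starting point for the setting, and the flagged list shows what a candidate value still alerts on.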
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
